On Mon, May 23, 2022 at 6:17 PM Stephen Smoogen <ssmoogen(a)redhat.com> wrote:
> Applications in Fedora Infrastructure need to be deployed in an auditable and repeatable
> way. These methods need to allow someone to determine which software was installed, when
> it was installed, and what it was meant to do (example: rpms or podman build scripts
> for containers). The goal is to be kind to our future selves at 2 am who need to figure
> out why a critical application is broken and how to rebuild and redeploy as needed.
I like this approach. I don't think there's real value in requiring
that everything be packaged as an RPM, but we do want to make sure we
can re-deploy correctly.
What are the implications for pinning requirements here? Should we
require that each application require specific versions of
dependencies? I don't love that idea, but I love even less the idea of
a stealthy change to a package turning our infrastructure into a
cryptocurrency rig.
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
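The pinning question raised above turns on the difference between pinning a version and pinning the bytes. The following is an added example, not code from this thread or from Fedora Infrastructure: a small checker that parses requirements in pip's `--hash=sha256:` syntax (the format pip's `--require-hashes` mode consumes) and decides whether a downloaded artifact may be installed. The package name `demo-lib`, its version, the two requirements files and the artifact contents are all constructed for the demonstration; the tampered artifact stands in for a package silently republished under the same version number.

```python
"""Hash-pinned dependency check (added example, not Fedora Infrastructure's
own tooling).

A version pin ("demo-lib==1.2.3") records which release was meant to be
installed; a hash pin ("--hash=sha256:...", the syntax pip's
--require-hashes mode reads) also records which exact bytes.  Only the
latter detects an artifact republished under the same version number.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for a package's distribution file: the release
# that was reviewed, and a tampered build later published under the same
# version string.
GOOD_ARTIFACT = b"demo-lib 1.2.3\ndef add(a, b): return a + b\n"
TAMPERED_ARTIFACT = b"demo-lib 1.2.3\ndef add(a, b): start_miner(); return a + b\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements files.  Package name and version are hypothetical.
VERSION_ONLY_REQUIREMENTS = "demo-lib==1.2.3\n"
HASH_PINNED_REQUIREMENTS = (
    "# digest generated with e.g. `pip hash demo_lib-1.2.3-py3-none-any.whl`\n"
    "demo-lib==1.2.3 \\\n"
    f"    --hash=sha256:{sha256_hex(GOOD_ARTIFACT)}\n"
)


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    hashes: frozenset  # allowed sha256 digests; empty means "not hash-pinned"


def parse_requirements(text: str) -> dict:
    """Parse 'name==version [--hash=sha256:HEX ...]' lines into {name: Pin}.

    Handles '#' comments and backslash line continuations; anything else
    (version ranges, unknown options) is rejected rather than silently
    accepted, since an unparsed line would otherwise pass as "no pin".
    """
    pins = {}
    buf = ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        entry = (buf + line).strip()
        buf = ""
        if not entry:
            continue
        spec, *opts = entry.split()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9_.-]*)==([A-Za-z0-9_.!+-]+)", spec)
        if not m:
            raise ValueError(f"only exact '==' pins are accepted, got {spec!r}")
        hashes = set()
        for opt in opts:
            hm = re.fullmatch(r"--hash=sha256:([0-9a-fA-F]{64})", opt)
            if not hm:
                raise ValueError(f"unsupported option {opt!r} for {spec!r}")
            hashes.add(hm.group(1).lower())
        name = m.group(1).lower().replace("_", "-")
        pins[name] = Pin(name, m.group(2), frozenset(hashes))
    return pins


def verify_artifact(pins: dict, name: str, version: str, artifact: bytes,
                    require_hashes: bool = False) -> tuple:
    """Decide whether 'artifact' may be installed as name==version.

    Returns (ok, reason).  With require_hashes=True a pin without a hash
    is itself a failure, mirroring pip's --require-hashes behaviour.
    """
    pin = pins.get(name.lower().replace("_", "-"))
    if pin is None:
        return False, "not listed in requirements"
    if pin.version != version:
        return False, f"version {version} does not match pin {pin.version}"
    if not pin.hashes:
        if require_hashes:
            return False, "pin has no hash but hashes are required"
        return True, "version matches; artifact bytes were not checked"
    digest = sha256_hex(artifact)
    if digest not in pin.hashes:
        return False, f"sha256 {digest[:12]}... not among pinned hashes"
    return True, "version and sha256 match"


if __name__ == "__main__":
    for label, text in (("version-only", VERSION_ONLY_REQUIREMENTS),
                        ("hash-pinned", HASH_PINNED_REQUIREMENTS)):
        pins = parse_requirements(text)
        for art_label, art in (("good", GOOD_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
            ok, why = verify_artifact(pins, "demo-lib", "1.2.3", art)
            print(f"{label:12} {art_label:8} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Run stand-alone, the version-only file accepts both artifacts (it has nothing to compare the bytes against), while the hash-pinned file rejects the tampered one. The cost of hash pinning is that every legitimate upgrade requires regenerating the digests, which is the operational trade-off the question above is weighing.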